Skip to main content
Sandbox Agent is the main workhorse for active security testing. It has full access to the sandbox environment and the complete security toolchain, handling everything from running scans and executing scripts to managing files and capturing network traffic.

What it does

  • Command and script execution: runs CLI tools, custom scripts, and curl commands inside the sandboxed environment
  • Full security toolchain: access to nuclei, nmap, ffuf, sqlmap, and the full suite of ProjectDiscovery and open-source security tools
  • File management: reads, writes, edits, and organizes files produced during testing
  • Network traffic capture and replay: intercepts and replays HTTP traffic for analysis and exploit development
  • Web exploitation toolkit: OOB callbacks, SSRF, XXE, DNS rebinding, redirects, polyglot payloads, and email-based test infrastructure
  • VPN management: connects and disconnects VPN for testing internal and isolated network targets
  • SSH execution: runs commands over SSH connections to reach targets that require it
  • Working memory: tracks todos, facts, insights, and files across the task lifecycle

How it fits in

Most hands-on testing flows through Sandbox Agent. It is the default execution environment for active scanning, exploit development, and anything requiring direct tool use. In Thorough mode, multiple Sandbox Agent instances can run in parallel under Agent Swarm coordination.